Bump the npm_and_yarn group across 4 directories with 26 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: vitest.
Bumps the npm_and_yarn group with 3 updates in the /examples/cloudflare-workers directory: cookie, esbuild and wrangler.
Bumps the npm_and_yarn group with 16 updates in the /examples/create-react-app directory:

Package	From	To
body-parser	1.20.2	1.20.4
express	4.19.2	4.22.1
brace-expansion	1.1.11	1.1.12
brace-expansion	2.0.1	2.0.2
cross-spawn	7.0.3	7.0.6
js-yaml	3.14.1	3.14.2
js-yaml	4.1.0	4.1.1
lodash	4.17.21	4.17.23
nanoid	3.3.7	3.3.11
rollup	2.79.1	2.79.2
node-forge	1.3.1	1.3.3
ws	8.15.1	8.19.0
ws	7.5.9	7.5.10
@babel/helpers	7.20.13	7.28.6
form-data	3.0.1	3.0.4
http-proxy-middleware	2.0.6	2.0.9
on-headers	1.0.2	1.1.0
serialize-javascript	6.0.1	6.0.2
webpack	5.94.0	5.105.2

Bumps the npm_and_yarn group with 2 updates in the /examples/vite-vue directory: esbuild and vite.

Updates vitest from 2.0.5 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

• Support Node 21  -  by @​sheremet-va (92f7a)

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

• Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
  • This introduced some breaking changes (vitest-dev/vitest#6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.

    View changes on GitHub

v2.1.6

🚀 Features

• Support Vite 6

    View changes on GitHub

v2.1.5

   🐞 Bug Fixes

• dangerouslyIgnoreUnhandledErrors without base reporter  -  by @​AriPerkkio in vitest-dev/vitest#6808 (0bf0a)
• Capture unhandledRejection even when base reporter is not used  -  by @​AriPerkkio in vitest-dev/vitest#6812 (8878b)
• Don't change the working directory when loading workspace projects  -  by @​sheremet-va in vitest-dev/vitest#6811 (f0aea)
• Remove sequence.concurrent from the RuntimeConfig type  -  by @​sheremet-va in vitest-dev/vitest#6880 (6af73)
• Stop the runner before restarting, restart on workspace config change  -  by @​sheremet-va in vitest-dev/vitest#6859 (b01df)
• Don't rerun on Esc or Ctrl-C during watch filter  -  by @​hi-ogawa in vitest-dev/vitest#6895 (98f76)
• Print ssrTransform error  -  by @​hi-ogawa in vitest-dev/vitest#6885 (4c96c)
• Throw an error and a warning if .poll, .element, .rejects/.resolves, and locator.* weren't awaited  -  by @​sheremet-va in vitest-dev/vitest#6877 (93b67)
• browser:
  • Don't process the default css styles  -  by @​sheremet-va in vitest-dev/vitest#6861 (0d67f)
  • Support non US key input  -  by @​hi-ogawa in vitest-dev/vitest#6873 (5969d)

... (truncated)

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• d69cc75 bump: 2.1.8
• 92f7a2a fix: support Node 21
• 81ed45b chore: release v2.1.7
• fbe5c39 fix: revert support for Vite 6
• b936702 bump: 2.1.6
• 32f23b9 chore: release v2.1.5
• 417bdb4 fix(browser): init browsers eagerly when tests are running (#6876)
• 93b67c2 fix: throw an error and a warning if .poll, .element, .rejects/`.resolv...
• Additional commits viewable in compare view

Updates cookie from 0.5.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates esbuild from 0.17.19 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11

• Fix TypeScript-specific class transform edge case (#3559)

  The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:

  // Original code
  class Foo extends Bar {
    #private = 1;
    public: any;
    constructor() {
      super();
    }
  }
  // Old output (with esbuild v0.19.9)
  class Foo extends Bar {
  constructor() {
  super();
  this.#private = 1;
  }
  #private;
  }
  // Old output (with esbuild v0.19.10)
  class Foo extends Bar {
  constructor() {
  this.#private = 1;
  super();
  }
  #private;
  }
  // New output
  class Foo extends Bar {
  #private = 1;
  constructor() {
  super();
  }
  }

• Minifier: allow reording a primitive past a side-effect (#3568)

  The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates wrangler from 3.22.1 to 4.65.0

Release notes

Sourced from wrangler's releases.

wrangler@4.65.0

Minor Changes

• #12473 b900c5a Thanks @​petebacondarwin! - Add CF_PAGES environment variables to wrangler pages dev

  wrangler pages dev now automatically injects Pages-specific environment variables (CF_PAGES, CF_PAGES_BRANCH, CF_PAGES_COMMIT_SHA, CF_PAGES_URL) for improved dev/prod parity. This enables frameworks like SvelteKit to auto-detect the Pages environment during local development.

  • CF_PAGES is set to "1" to indicate the Pages environment
  • CF_PAGES_BRANCH defaults to the current git branch (or "local" if not in a git repo)
  • CF_PAGES_COMMIT_SHA defaults to the current git commit SHA (or a placeholder if not in a git repo)
  • CF_PAGES_URL is set to a simulated commit preview URL (e.g., https://<sha>.<project-name>.pages.dev)

  These variables are displayed with their actual values in the bindings table during startup, making it easy to verify what branch and commit SHA were detected.

  These variables can be overridden by user-defined vars in the Wrangler configuration, .env, .dev.vars, or via CLI flags.

• #12464 10a1c4a Thanks @​petebacondarwin! - Allow deleting KV namespaces by name

  You can now delete a KV namespace by providing its name as a positional argument:

  wrangler kv namespace delete my-namespace

  This aligns the delete command with the create command, which also accepts a namespace name. The existing --namespace-id and --binding flags continue to work as before.

• #12382 d7b492c Thanks @​dario-piotrowicz! - Add Pages detection to autoconfig flows

  When running the autoconfig logic (via wrangler setup, wrangler deploy --x-autoconfig, or the programmatic autoconfig API), Wrangler now detects when a project appears to be a Pages project and handles it appropriately:

  • For wrangler deploy, it warns the user but still allows them to proceed
  • For wrangler setup and the programmatic autoconfig API, it throws a fatal error

• #12461 8809411 Thanks @​penalosa! - Support type: inherit bindings when using startWorker()

  This is an internal binding type that should not be used by external users of the API

• #12515 1a9eddd Thanks @​ascorbic! - Add --json flag to wrangler whoami for machine-readable output

  wrangler whoami --json now outputs structured JSON containing authentication status, auth type, email, accounts, and token permissions. When the user is not authenticated, the command exits with a non-zero status code and outputs {"loggedIn":false}, making it easy to check auth status in shell scripts without parsing text output.

  # Parse the JSON output
  wrangler whoami --json | jq '.accounts'
  Check if authenticated in a script. Returns 0 if authenticated, non-zero if not.
  if wrangler whoami --json > /dev/null 2>&1; then
  echo "Authenticated"
  else

... (truncated)

Commits

• 0ebc50d Version Packages (#12508)
• 56bed52 test(unenv): add test for native modules enabled after 2026-01-29 (#12539)
• f7fa326 Bump the workerd-and-workers-types group with 2 updates (#12541)
• b9c5c7a test: refactor --json tests (#12511)
• 9873579 Part 6️⃣ of removing CfWorkerInit["bindings"] (#12491)
• 41e18aa [Wrangler/Workflows] Add warning on deploy of workflows belonging to other wo...
• 6570ded Use vitest#expect from the local context (#12510)
• 10a1c4a [wrangler] Allow deleting KV namespaces by name (#12464)
• 762b547 Update snapshot (#12532)
• ad817dd [wrangler] Use project's package manager in wrangler setup (#12437)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.

Updates nanoid from 3.3.7 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Updates wrangler from 3.22.1 to 4.65.0

Release notes

Sourced from wrangler's releases.

wrangler@4.65.0

Minor Changes

• #12473 b900c5a Thanks @​petebacondarwin! - Add CF_PAGES environment variables to wrangler pages dev

  wrangler pages dev now automatically injects Pages-specific environment variables (CF_PAGES, CF_PAGES_BRANCH, CF_PAGES_COMMIT_SHA, CF_PAGES_URL) for improved dev/prod parity. This enables frameworks like SvelteKit to auto-detect the Pages environment during local development.

  • CF_PAGES is set to "1" to indicate the Pages environment
  • CF_PAGES_BRANCH defaults to the current git branch (or "local" if not in a git repo)
  • CF_PAGES_COMMIT_SHA defaults to the current git commit SHA (or a placeholder if not in a git repo)
  • CF_PAGES_URL is set to a simulated commit preview URL (e.g., https://<sha>.<project-name>.pages.dev)

  These variables are displayed with their actual values in the bindings table during startup, making it easy to verify what branch and commit SHA were detected.

  These variables can be overridden by user-defined vars in the Wrangler configuration, .env, .dev.vars, or via CLI flags.

• #12464 10a1c4a Thanks @​petebacondarwin! - Allow deleting KV namespaces by name

  You can now delete a KV namespace by providing its name as a positional argument:

  wrangler kv namespace delete my-namespace

  This aligns the delete command with the create command, which also accepts a namespace name. The existing --namespace-id and --binding flags continue to work as before.

• #12382 d7b492c Thanks @​dario-piotrowicz! - Add Pages detection to autoconfig flows

  When running the autoconfig logic (via wrangler setup, wrangler deploy --x-autoconfig, or the programmatic autoconfig API), Wrangler now detects when a project appears to be a Pages project and handles it appropriately:

  • For wrangler deploy, it warns the user but still allows them to proceed
  • For wrangler setup and the programmatic autoconfig API, it throws a fatal error

• #12461 8809411 Thanks @​penalosa! - Support type: inherit bindings when using startWorker()

  This is an internal binding type that should not be used by external users of the API

• #12515 1a9eddd Thanks @​ascorbic! - Add --json flag to wrangler whoami for machine-readable output

  wrangler whoami --json now outputs structured JSON containing authentication status, auth type, email, accounts, and token permissions. When the user is not authenticated, the command exits with a non-zero status code and outputs {"loggedIn":false}, making it easy to check auth status in shell scripts without parsing text output.

  # Parse the JSON output
  wrangler whoami --json | jq '.accounts'
  Check if authenticated in a script. Returns 0 if authenticated, non-zero if not.
  if wrangler whoami --json > /dev/null 2>&1; then
  echo "Authenticated"
  else

... (truncated)

Commits

• 0ebc50d Version Packages (#12508)
• 56bed52 test(unenv): add test for native modules enabled after 2026-01-29 (#12539)
• f7fa326 Bump the workerd-and-workers-types group with 2 updates (#12541)
• b9c5c7a test: refactor --json tests (#12511)
• 9873579 Part 6️⃣ of removing CfWorkerInit["bindings"] (#12491)
• 41e18aa [Wrangler/Workflows] Add warning on deploy of workflows belonging to other wo...
• 6570ded Use vitest#expect from the local context (#12510)
• 10a1c4a [wrangler] Allow deleting KV namespaces by name (#12464)
• 762b547 Update snapshot (#12532)
• ad817dd [wrangler] Use project's package manager in wrangler setup (#12437)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.

Updates undici from 5.28.4 to 7.18.2

Release notes

Sourced from undici's releases.

v7.18.2

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

What's Changed

• fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in nodejs/undici#4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

What's Changed

• Test and Fix running without SSL by @​mcollina in nodejs/undici#4727
• docs: add security warning for strictContentLength option by @​mcollina in nodejs/undici#4726
• build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @​dependabot[bot] in nodejs/undici#4718
• build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in nodejs/undici#4719

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

What's Changed

• chore: extract infra and encoding methods by @​Uzlopak in nodejs/undici#4523
• ci: remove h2 by @​Uzlopak in nodejs/undici#4534
• ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @​Uzlopak in nodejs/undici#4535
• ci: fix nightly shared library case by @​Uzlopak in nodejs/undici#4543
• test: consume bodies of fetch responses to fix failing macos 20 ci by @​Uzlopak in nodejs/undici#4528
• docs: add Cache Interceptor example to README by @​tawseefnabi in nodejs/undici#4393
• test: remove node20 version check by @​Uzlopak in nodejs/undici#4544
• types: use MessagePort instance type in MessageEvent by @​Renegade334 in nodejs/undici#4546
• ci: set write permissions on job level by @​Uzlopak in nodejs/undici#4537
• lint: activate n/no-process-exit by @​Uzlopak in nodejs/undici#4548
• ci: run benchmarks on pull_requests and by pushing on specific branches only by @​Uzlopak in nodejs/undici#4536
• chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @​Uzlopak in nodejs/undici#4547
• feat(H2): correct CONNECT behaviour by @​metcoder95 in nodejs/undici#4541
• test: fix plans by @​Uzlopak in nodejs/undici#4550
• feat: add runtime feature "detection" by @​Uzlopak in nodejs/undici#4545
• perf: use less promises in extractBody by @​Uzlopak in nodejs/undici#4458
• fix(proxy-agent): add missing return after callback-call by @​Uzlopak in nodejs/undici#4553
• fix: remove redundant line in retry-handler by @​Uzlopak in nodejs/undici#4554
• ci: add no-wasm-simd option by @​Uzlopak in nodejs/undici#4533
• fix: use lazyloaders for runtime feature detection by @​Uzlopak in nodejs/undici#4557
• fix: minor changes in dispatcher-base.js and types for Dispatcher by @​Uzlopak in nodejs/undici#4556

... (truncated)

Commits

• 7e5cb2d Bumped v7.18.2 (#4730)
• b04e3cb fix(decompress): limit Content-Encoding chain to 5 to prevent resource exhaus...
• 2bcb77b Bumped v7.18.1 (#4728)
• 58a12b7 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4719)
• 5fa2930 build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 (#4718)
• fbbe283 docs: add security warning for strictContentLength option (#4726)
• ce12d9e fix: do not crash if Node.js is compiled without SSL (#4727)
• ebe3e33 Bumped v7.18.0 (#4725)
• 4e9b88b fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• d560767 Bumped v7.17.0 (#4724)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

• Remove redundant depth check by @​blakeembrey in expressjs/body-parser#538
• ci: add support for Node.js v23 by @​Phillip9587 in expressjs/body-parser#553
• ci: restore CI for 1.x branch by @​bjohansebas in expressjs/body-parser#665
• deps: qs@^6.14.0 by @​bjohansebas in expressjs/body-parser#664
• deps: use tilde notation and update certain dependencies by @​Phillip9587 in expressjs/body-parser#668
• chore: remove SECURITY.md by @​Phillip9587 in expressjs/body-parser#669
• ci: add CodeQL (SAST) by @​Phillip9587 in expressjs/body-parser#670
• Release: 1.20.4 by @​UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 7db202c 1.20.4 (#672)
• d8f8adb ci: add CodeQL (SAST) (#670)
• 6d133c1 chore: remove SECURITY.md (#669)
• fcd1535 deps: use tilde notation and update certain dependencies (#668)
• ec5fa29 deps: qs@~6.14.0 (#664)
• ffb95c1 ci: restore CI for 1.x branch (#665)
• 48a5f07 ci: add support for Node.js v23 (#553)
• f20f6ad Remove redundant depth check (#538)
• 1752951 1.20.3
• 39744cf chore: linter (#534)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from